Convert MySQL query into prepared statement with possible null value
To prevent SQL injection I am converting my queries into prepared statements. I have one left. It also contains a possible null value, so it is proving a bit difficult.
Normal:
// Declare $dbc, $varA, $varB, $varC, $ID
$varC = ($varC == '-') ? "NULL" : "'" . $varC . "'";
$query = "UPDATE myTable ";
$query .= "SET VARA = '{$varA}', VARB = '{$varB}', VARC = $varC ";
$query .= "WHERE ID = '{$ID}'";
$result = @mysqli_query($dbc, $query) or die("Error updating record: " . mysqli_error($dbc));
Prepared statement attempt:
// Declare $dbc, $varA, $varB, $varC, $ID
$varC = ($varC == '-') ? "NULL" : "'" . $varC . "'";
$query = "UPDATE myTable ";
$query .= "SET VARA = ? VARB = ? VARC = ? ";
$query .= "WHERE ID = ?";
$stmt = mysqli_prepare($dbc, $query);
$bind = mysqli_stmt_bind_param($stmt, "ssss", $varA, $varB, $varC, $ID);
$exec = mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
Why not just
$varC = ($varC == '-') ? null : $varC;
?
Also, you are missing commas in your query:
$query .= "SET VARA = ?, VARB = ?, VARC = ? ";
Edit:
I just ran the modified code and it seems to work fine. For reference, this is the code I used:
<?php
error_reporting(-1);
ini_set('display_errors', 'On');
$dbc = mysqli_connect("127.0.0.1", "test", "test", "test");
$ID = "1";
$varA = "a";
$varB = "b";
$varC = "-";
$varC = ($varC == '-') ? null : $varC;
$query = "UPDATE myTable ";
$query .= "SET VARA = ?, VARB = ?, VARC = ? ";
$query .= "WHERE ID = ?";
$stmt = mysqli_prepare($dbc, $query);
$bind = mysqli_stmt_bind_param($stmt, "ssss", $varA, $varB, $varC, $ID);
$exec = mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
Could you try adding the error reporting lines to the top of your code and see whether you get any errors?
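The fix in the answer above, worked through as an added example that is not code from the question or the answer. Because PHP/mysqli needs a live MySQL server, this uses Python's sqlite3 module against a constructed in-memory table named like the page's myTable; sqlite3 takes the same positional `?` placeholders and binds None as SQL NULL, the same role PHP null plays in mysqli_stmt_bind_param. It ports the page's string-built "Normal" UPDATE next to the prepared version and pushes one crafted $varC value through both, so you can see the write being redirected to another row in the unsafe version and stored as plain text in the safe one, and the '-' sentinel arriving as NULL. The table schema, the seed rows and the payload are assumptions made for the demonstration.

```python
import sqlite3
from typing import Optional, Tuple

Row = Optional[Tuple[str, str, Optional[str]]]


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the page's myTable (schema assumed:
    ID is the key, VARC is nullable). Two rows so a redirected write is visible."""
    dbc = sqlite3.connect(":memory:")
    dbc.execute("CREATE TABLE myTable (ID TEXT PRIMARY KEY, VARA TEXT, VARB TEXT, VARC TEXT)")
    dbc.executemany(
        "INSERT INTO myTable VALUES (?, ?, ?, ?)",
        [("1", "a0", "b0", "c0"), ("2", "a0", "b0", "c0")],
    )
    dbc.commit()
    return dbc


def sentinel_to_null(varC: str) -> Optional[str]:
    """The page's convention: a '-' means 'store NULL'. None is what the driver
    binds as SQL NULL, just as PHP null does in mysqli_stmt_bind_param."""
    return None if varC == "-" else varC


def update_unsafe(dbc: sqlite3.Connection, ID: str, varA: str, varB: str, varC: str) -> None:
    """Port of the page's 'Normal' version: values concatenated straight into
    the SQL text. Kept only to show the injection the prepared statement removes."""
    varC_sql = "NULL" if varC == "-" else "'" + varC + "'"
    query = "UPDATE myTable "
    query += f"SET VARA = '{varA}', VARB = '{varB}', VARC = {varC_sql} "
    query += f"WHERE ID = '{ID}'"
    dbc.execute(query)
    dbc.commit()


def update_safe(dbc: sqlite3.Connection, ID: str, varA: str, varB: str, varC: str) -> int:
    """The answer's version: a placeholder for every value, including the one
    that may be NULL, and commas between the SET assignments. Returns the number
    of rows changed so the caller can verify that exactly one row was hit."""
    query = "UPDATE myTable "
    query += "SET VARA = ?, VARB = ?, VARC = ? "
    query += "WHERE ID = ?"
    cur = dbc.execute(query, (varA, varB, sentinel_to_null(varC), ID))
    dbc.commit()
    return cur.rowcount


def fetch_row(dbc: sqlite3.Connection, ID: str) -> Row:
    return dbc.execute("SELECT VARA, VARB, VARC FROM myTable WHERE ID = ?", (ID,)).fetchone()


# Constructed payload: closes the quote around VARC, supplies its own WHERE
# clause and comments out the real one, so the write lands on row 2 instead of row 1.
PAYLOAD = "x' WHERE ID = '2' -- "


def demo() -> dict:
    dbc = make_db()
    update_unsafe(dbc, "1", "a", "b", PAYLOAD)
    # Row 2 was overwritten, row 1 is untouched: the caller's WHERE clause was discarded.
    unsafe = {"1": fetch_row(dbc, "1"), "2": fetch_row(dbc, "2")}

    dbc = make_db()
    changed = update_safe(dbc, "1", "a", "b", PAYLOAD)
    # The payload is stored verbatim as the VARC text of row 1; row 2 is untouched.
    safe = {"1": fetch_row(dbc, "1"), "2": fetch_row(dbc, "2"), "rows": changed}

    dbc = make_db()
    update_safe(dbc, "1", "a", "b", "-")
    # The '-' sentinel became SQL NULL without any "NULL" text in the query.
    null_row = fetch_row(dbc, "1")

    return {"unsafe": unsafe, "safe": safe, "null": null_row}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two things carry over to the PHP/mysqli code on this page. First, mysqli_prepare returns false when the SQL does not parse (the missing commas would do that), and the answer's code passes that false straight into mysqli_stmt_bind_param; calling mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT) before connecting turns those failures into exceptions instead of silent nonsense. Second, the original `@mysqli_query(...) or die(mysqli_error($dbc))` hands the database's error text to whoever sent the request; log it server-side and return a generic message instead.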